Annegret Bendiek is a senior associate at the German Institute for International and Security Affairs (SWP).
It’s cliché to say that we are increasingly dependent on internet-enabled technologies. Nevertheless, Europe is struggling to keep up. Shrinking budgets limit European countries’ ability to invest in building resilience against cyberattacks. The interconnectedness of critical infrastructure, along with the coming internet of things, forces European policy makers to consider the following question: how we protect and create resilient critical infrastructure?
Finding an answer to this question is politically fraught. Security experts who adhere to the realist school of international relations theory argue that policymakers must accept the increasing militarization of cyberspace. They argue that states must build up their offensive and defensive cyber capabilities. This view has gained currency in a number of countries, as strategic planners issue national security policies with a cyber component. Likewise, the European Union and NATO have begun corralling their respective members to establish common defensive capabilities. It is also hard to overlook the reemergence of the state in cyberspace as they emphasize their digital sovereignty.
More liberal minded scholars warn that the build-up of offensive capabilities only repeats the mistakes of the past. It will foster mistrust, lead to a new arms race and might even lead to the internet’s fragmentation as states assert their sovereignty. A free, open and trustworthy internet is an important global public good, and an offensive build-up puts that at risk. Following up on the approach of work under the auspices of the United Nations and Organization for Security and Cooperation in Europe (OSCE), much of policymakers’ attention has been focused on finding agreement common norms for state behavior in cyberspace with mixed success.
Recently U.S. and EU officials have been adapting concepts found in the law of state responsibility, which sets out how and when a state is responsible for a breach of its international obligations, to promote certain cyber norms. For example, policymakers across the Atlantic are promoting the idea of state responsibility—states are responsible for the cyber activity originating from their territory. The UN Group of Governmental Experts on cyber issues picked up and endorsed this idea in its 2015 report, and will likely expand on this notion when its work resumes later this year.
As the European Union will update its 2013 cybersecurity strategy, and will extend it to a “strategy for cyberspace” it should make the norm of state responsibility a cornerstone. A number of member states are developing their offensive and defensive capabilities, making an EU-wide strategy essential to ensure that their actions are compatible with norms that support a free, open, and trustworthy internet. The European Union can promote state responsibility in cyberspace in three ways:
- EU coordination. Since 2003, EU officials have coordinated their cyber efforts through a Friends of the Presidency Group on Cyber Issues. Having this group agree to a common position on the norm of state responsibility would give the European External Action Service—the European Union’s diplomatic corps—a common message and outreach strategy with which to build support. The External Action Service’s work can be supported by the European Network and Information Security Agency, the authoritative reference for cybersecurity in the European Union.
- Transatlantic support. Making states responsible for their cyber activities is only possible if states can attribute offensive cyber incidents. Despite their differences on privacy, espionage, and surveillance, the European Union and the United States need to cooperate to solve the attribution problem. One way they could do this is by supporting an effort to create an independent court of arbitration with the forensic capabilities to identify parties responsible for offensive cyber activities. An independent third party would improve the credibility of attributing an incident to a particular state thereby making it responsible.
- Military restraint. Under international law, if a state has had its sovereignty violated, it is entitled to use all necessary and proportionate means to terminate that violation. This would apply in cyberspace, where a targeted state could engage in what has been dubbed “active defense” to end an ongoing cyberattack started by another state. Although taking these types of countermeasures are legal under international law, in practice, responses of this kind easily run the risk of escalation, possible legal breaches, and undermining the tradition of military restraint in foreign and security policy. To avoid this, EU member states should ensure that their respective militaries remain committed to a defensive approach, and promote this posture within NATO, the OSCE and other multilateral security institutions.
The internet is too precious and important to be left to the realists and to those who can only think in the categories of conflict and confrontation. A transatlantic initiative is required to ensure that it remains free, open and trustworthy. Without this, we might wake up one day and see that the cyber world of the twenty-first century looks dangerously similarly to political world of the nineteenth century.